We claim:

1. A computer program product embodied on computer readable media readable by a system in a computing environment, for enforcing security policy using style sheet processing, comprising:
    an input document;
    one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;
    a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;
    an augmented style sheet processor, wherein said augmented processor further comprises:
        computer-readable program code means for loading said DTD;
        computer-readable program code means for resolving each of said one or more references in said loaded DTD;
        computer-readable program code means for instantiating said policy enforcement objects associated with said resolved references;
        computer-readable program code means for executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said computer-readable program code means for executing is an interim transient document reflecting said execution;
        computer-readable program code means for generating one or more random encryption keys;
        computer-readable program code means for encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;
        computer-readable program code means for encrypting each of said one or more random encryption keys; and
        computer-readable program code means for creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;
    computer-readable program code means for requesting said encrypted output document by a key recovery agent;
    computer-readable program code means for receiving said requested output document; and
    an augmented document processor, comprising:
        computer-readable program code means for decrypting each of said encrypted encryption keys; and
        computer-readable program code means for decrypting said requested output document using said decrypted keys, thereby creating a result document.

2. The computer program product according to Claim 1, further comprising computer-readable program code means for rendering said result document on said client device.

3. The computer program product according to Claim 1, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

4. The computer program product according to Claim 1, wherein said input document is specified in an Extensible Markup Language (XML) notation.

5. The computer program product according to Claim 4, wherein said result document is specified in said XML notation.

6. The computer program product according to Claim 1, wherein said stored policy enforcement objects further comprise computer-readable program code means for overriding a method for evaluating said elements of said input document, and wherein said computer-readable program code means for executing further comprises computer-readable program code means for executing said computer-readable program code means for overriding.

7. The computer program product according to Claim 6, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

8. The computer program product according to Claim 7, wherein said method is a value-of method of said XSL notation, and wherein said computer-readable program code means for overriding said value-of method is by subclassing said value-of method.

9. The computer program product according to Claim 6 or Claim 8, wherein:
    said overridden method comprises:
        computer-readable program code means for generating encryption tags; and
        computer-readable program code means for inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and
    said computer-readable program code means for encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.

10. The computer program product according to Claim 2, wherein:
    each of said instantiated policy enforcement objects further comprises:
        a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and
        an encryption requirement for said elements associated with said security policy.

11. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption algorithm.

12. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.

13. The computer program product according to Claim 10, wherein:
    said computer-readable program code means for encrypting said encryption keys further comprises:
        computer-readable program code means for encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted; and
        computer-readable program code means for ensuring that said key recovery agent is one of said members of each of said communities, thereby ensuring that one of said different versions is encrypted using said public key of said key recovery agent.

14. The computer program product according to Claim 10, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.

15. The computer program product according to Claim 1, wherein said computer-readable program code means for encrypting selected elements uses a cipher block chaining mode encryption process.

16. The computer program product according to Claim 13, further comprising:
    computer-readable program code means for creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and
    wherein:
        said computer-readable program code means for generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and
        said computer-readable program code means for encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.

17. The computer program product according to Claim 13, wherein:
    said computer-readable program code means for decrypting said requested output document further comprises:
        computer-readable program code means for decrypting, for each of said communities, said different version of said random encryption key which was encrypted using said public key of said key recovery agent, wherein said computer-readable program code means for decrypting uses a private key of said key recovery agent, thereby creating a decrypted key for each of said communities; and
        computer-readable program code means for decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said computer-readable program code means for rendering further comprises:
        computer-readable program code means for rendering said decrypted elements and said other unencrypted elements.

18. The computer program product according to Claim 16, wherein:
    said computer-readable program code means for decrypting said requested output document further comprises:
        computer-readable program code means for decrypting, for each of said key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said key recovery agent, wherein said computer-readable program code means for decrypting uses a private key of said key recovery agent which is associated with said public key which was used for encryption, thereby creating a decrypted key; and
        computer-readable program code means for decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said computer-readable program code means for rendering further comprises:
        computer-readable program code means for rendering said decrypted elements and said other unencrypted elements.

19. The computer program product according to Claim 1, wherein said DTD is replaced by a schema.

20. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption key length.

21. The computer program product according to Claim 9, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.

22. A system for enforcing security policy using style sheet processing in a computing environment, comprising:
    an input document;
    one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;
    a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;
    an augmented style sheet processor, wherein said augmented processor further comprises:
        means for loading said DTD;
        means for resolving each of said one or more references in said loaded DTD;
        means for instantiating said policy enforcement objects associated with said resolved references;
        means for executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said means for executing is an interim transient document reflecting said execution;
        means for generating one or more random encryption keys;
        means for encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;
        means for encrypting each of said one or more random encryption keys; and
        means for creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;
    means for requesting said encrypted output document by a key recovery agent;
    means for receiving said requested output document; and
    an augmented document processor, comprising:
        means for decrypting each of said encrypted encryption keys; and
        means for decrypting said requested output document using said decrypted keys, thereby creating a result document.

23. The system according to Claim 22, further comprising means for rendering said result document on said client device.

24. The system according to Claim 22, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

25. The system according to Claim 22, wherein said input document is specified in an Extensible Markup Language (XML) notation.

26. The system according to Claim 25, wherein said result document is specified in said XML notation.

27. The system according to Claim 22, wherein said stored policy enforcement objects further comprise means for overriding a method for evaluating said elements of said input document, and wherein said means for executing further comprises means for executing said computer-readable program code means for overriding.

28. The system according to Claim 27, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

29. The system according to Claim 28, wherein said method is a value-of method of said XSL notation, and wherein said means for overriding said value-of method is by subclassing said value-of method.

30. The system according to Claim 27 or Claim 29, wherein:
    said overridden method comprises:
        means for generating encryption tags; and
        means for inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and
    said means for encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.

31. The system according to Claim 23, wherein:
    each of said instantiated policy enforcement objects further comprises:
        a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and
        an encryption requirement for said elements associated with said security policy.

32. The system according to Claim 31, wherein said encryption requirement further comprises specification of an encryption algorithm.

33. The system according to Claim 31, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.

34. The system according to Claim 31, wherein:
    said means for encrypting said encryption keys further comprises:
        means for encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted; and
        means for ensuring that said key recovery agent is one of said members of each of said communities, thereby ensuring that one of said different versions is encrypted using said public key of said key recovery agent.

35. The system according to Claim 31, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.

36. The system according to Claim 22, wherein said means for encrypting selected elements uses a cipher block chaining mode encryption process.

37. The system according to Claim 34, further comprising:
    means for creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and
    wherein:
        said means for generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and
        said means for encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.

38. The system according to Claim 34, wherein:
    said means for decrypting said requested output document further comprises:
        means for decrypting, for each of said communities, said different version of said random encryption key which was encrypted using said public key of said key recovery agent, wherein said means for decrypting uses a private key of said key recovery agent, thereby creating a decrypted key for each of said communities; and
        means for decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said means for rendering further comprises:
        means for rendering said decrypted elements and said other unencrypted elements.

39. The system according to Claim 37, wherein:
    said means for decrypting said requested output document further comprises:
        means for decrypting, for each of said key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said key recovery agent, wherein said means for decrypting uses a private key of said key recovery agent which is associated with said public key which was used for encryption, thereby creating a decrypted key; and
        means for decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said means for rendering further comprises:
        means for rendering said decrypted elements and said other unencrypted elements.

40. The system according to Claim 22, wherein said DTD is replaced by a schema.

41. The system according to Claim 31, wherein said encryption requirement further comprises specification of an encryption key length.

42. The system according to Claim 30, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.
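Added example, not part of the patent text and not code from any product it describes: the Go program below carries the key handling of Claims 13 to 18 and their system counterparts, Claims 34 to 39, through in working code. One random key is generated per key class, each element in the class is encrypted with that key in cipher block chaining mode, a separate copy of the key is wrapped under every member's public key, and the key recovery agent is forced into each class so that one wrapped copy can always be opened with the agent's private key. Member names, the use of AES for the element cipher, RSA-OAEP for wrapping the key and PKCS#7 padding are choices made for this example and are not stated on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Member is a viewer in a community: a user, a process, or the key recovery agent.
// The RSA key pair stands in for the member's public-key credentials (constructed).
type Member struct {
	Name string
	Key  *rsa.PrivateKey
}

// KeyClass follows Claims 16/37: one random key per community, with a separate copy
// of that key wrapped under each member's public key. The agent is always a member.
type KeyClass struct {
	Community string
	KeyBits   int               // strongest encryption requirement among the class's elements
	Wrapped   map[string][]byte // member name -> RSA-OAEP wrapped copy of the class key
	key       []byte            // random AES key; never written to the output document
}

// NewMember generates a member with a fresh RSA key pair (constructed credentials).
func NewMember(name string) (*Member, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Member{Name: name, Key: k}, nil
}

// NewKeyClass generates the class key and wraps it for every member plus the recovery
// agent (Claims 13/34: the agent is made a member of every community).
func NewKeyClass(community string, keyBits int, members []*Member, agent *Member) (*KeyClass, error) {
	if keyBits != 128 && keyBits != 192 && keyBits != 256 {
		return nil, fmt.Errorf("unsupported AES key length %d", keyBits)
	}
	kc := &KeyClass{Community: community, KeyBits: keyBits, Wrapped: map[string][]byte{}, key: make([]byte, keyBits/8)}
	if _, err := io.ReadFull(rand.Reader, kc.key); err != nil {
		return nil, err
	}
	for _, m := range append(append([]*Member{}, members...), agent) {
		if _, done := kc.Wrapped[m.Name]; done {
			continue // the agent was already listed as an ordinary member
		}
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &m.Key.PublicKey, kc.key, []byte(community))
		if err != nil {
			return nil, err
		}
		kc.Wrapped[m.Name] = w
	}
	return kc, nil
}

// EncryptElement encrypts one element's content with the class key in CBC mode
// (Claims 15/36); the result is IV || ciphertext, with PKCS#7 padding applied first.
func (kc *KeyClass) EncryptElement(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kc.key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptElement is the document processor side (Claims 17/18/38/39): the viewer
// unwraps the class key with its private key, then decrypts the element. A viewer
// who is not a member has no wrapped copy and therefore cannot recover the key.
func (kc *KeyClass) DecryptElement(viewer *Member, data []byte) ([]byte, error) {
	w, ok := kc.Wrapped[viewer.Name]
	if !ok {
		return nil, fmt.Errorf("%s is not a member of community %s", viewer.Name, kc.Community)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, viewer.Key, w, []byte(kc.Community))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	alice, _ := NewMember("alice")
	bob, _ := NewMember("bob")
	agent, _ := NewMember("recovery-agent")
	kc, err := NewKeyClass("finance", 128, []*Member{alice}, agent) // bob is not a member
	if err != nil {
		panic(err)
	}
	ct, _ := kc.EncryptElement([]byte("120000"))
	pt, _ := kc.DecryptElement(agent, ct)
	fmt.Printf("recovered by agent: %s\n", pt)
	_, err = kc.DecryptElement(bob, ct)
	fmt.Println("bob:", err)
}
```

The `Wrapped` map is what the claims call the different versions of the encryption key: the plaintext class key exists only inside the processor, and the output document carries one wrapped copy per identified member, so a reviewer can check the recovery property by confirming that the agent's name appears in every class.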



43. A method for enforcing security policy using style sheet processing in a computing environment, comprising the steps of:
    providing an input document;
    providing one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;
    providing a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;
    executing an augmented style sheet processor, further comprising the steps of:
        loading said DTD;
        resolving each of said one or more references in said loaded DTD;
        instantiating said policy enforcement objects associated with said resolved references;
        executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said step of executing is an interim transient document reflecting said execution;
        generating one or more random encryption keys;
        encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;
        encrypting each of said one or more random encryption keys; and
        creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;
    requesting said encrypted output document by a key recovery agent;
    receiving said requested output document; and
    executing an augmented document processor, further comprising the steps of:
        decrypting each of said encrypted encryption keys; and
        decrypting said requested output document using said decrypted keys, thereby creating a result document.

44. The method according to Claim 43, further comprising the step of rendering said result document on said client device.

45. The method according to Claim 43, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

46. The method according to Claim 43, wherein said input document is specified in an Extensible Markup Language (XML) notation.

47. The method according to Claim 46, wherein said result document is specified in said XML notation.

48. The method according to Claim 43, wherein said stored policy enforcement objects further comprise executable code for overriding a method for evaluating said elements of said input document, and wherein said executing selected ones step further comprises overriding said method for evaluating.

49. The method according to Claim 48, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

50. The method according to Claim 49, wherein said method is a value-of method of said XSL notation, and wherein said step of overriding said value-of method is by subclassing said value-of method.

51. The method according to Claim 48 or Claim 50, wherein:
    said step of overriding further comprises the steps of:
        generating encryption tags; and
        inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and
    said step of encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.

52. The method according to Claim 44, wherein:
    each of said instantiated policy enforcement objects further comprises:
        a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and
        an encryption requirement for said elements associated with said security policy.

53. The method according to Claim 52, wherein said encryption requirement further comprises specification of an encryption algorithm.

54. The method according to Claim 52, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.

55. The method according to Claim 52, wherein:
    said step of encrypting said encryption keys further comprises the steps of:
        encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted; and
        ensuring that said key recovery agent is one of said members of each of said communities, thereby ensuring that one of said different versions is encrypted using said public key of said key recovery agent.

56. The method according to Claim 52, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.

57. The method according to Claim 43, wherein said step of encrypting selected elements uses a cipher block chaining mode encryption process.

58. The method according to Claim 55, further comprising the step of:
    creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and
    wherein:
        said step of generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and
        said step of encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.

59. The method according to Claim 55, wherein:
    said step of decrypting said requested output document further comprises the steps of:
        decrypting, for each of said communities, said different version of said random encryption key which was encrypted using said public key of said key recovery agent, wherein said step of decrypting uses a private key of said key recovery agent, thereby creating a decrypted key for each of said communities; and
        decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said step of rendering further comprises the step of:
        rendering said decrypted elements and said other unencrypted elements.

60. The method according to Claim 58, wherein:
    said step of decrypting said requested output document further comprises the steps of:
        decrypting, for each of said key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said key recovery agent, wherein said step of decrypting uses a private key of said key recovery agent which is associated with said public key which was used for encryption, thereby creating a decrypted key; and
        decrypting each of said encrypted elements in said requested output document using said decrypted keys; and
    said step of rendering further comprises the step of:
        rendering said decrypted elements and said other unencrypted elements.

61. The method according to Claim 43, wherein said DTD is replaced by a schema.

62. The method according to Claim 52, wherein said encryption requirement further comprises specification of an encryption key length.

63. The method according to Claim 51, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.



RSW9-99-113